Thursday, December 5, 2013

Today I found the domain "whoami.akamai.com" in my log files. After concluding that there was no amplification in there, I looked at who requested this domain. Normally there is one request for these 'new' domains (mostly an Ecatel IP). But not today: over a hundred different IPs scrolled by.

The queries were also performed with only the Recursion Desired bit set, no eDNS as I usually see.

Most IPs only requested the domain once. But why this domain? The IPs are scattered over a few ASes:

WhoAmI.akamai.com
As it turns out, this subdomain is something special.
The A record in the response for this domain is the IP address the request came from. So if you run a local DNS server, you will have your (WAN) IP returned. When using a remote DNS server, that server's IP will be returned. In the case of a chain of forwarding DNS servers, the IP of the last one in the chain will be returned.

Google Public DNS:

dig whoami.akamai.com @8.8.8.8

....
;; ANSWER SECTION:

whoami.akamai.net. 94 IN A 74.125.17.147

My query was forwarded to 74.125.17.147 by Google, for load balancing purposes I guess. Perhaps using eDNS +client.

But why request this domain from every open DNS server in the world?

The people behind this scan can see the difference between 'open DNS servers': whether one is an 'open resolver' or an 'open forwarder'. Perhaps this makes a significant difference when performing DNS amplification attacks, perhaps it is just nice to know.

When the responses to these queries are properly logged, one could generate a real nice graph of which open forwarders hide behind which open resolvers... I want that graph now!!

I am assuming there are a lot more open forwarders than there are open resolvers, but I have no stats on that matter. Perhaps this was a small botnet making these requests. But why request it so many times? As the queries are almost all from China, it cannot be related to geo diversity. Pretty confusing.
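To make the resolver/forwarder distinction described above concrete, and to build the forwarder-behind-resolver grouping the post asks for, here is an added example (not the author's code) that works offline over already-logged pairs of "server we queried" and "A record it returned for whoami.akamai.com". The server/answer pairs are constructed sample data using RFC 5737 documentation and RFC 1918 addresses, not real hosts.

```python
"""Classify DNS servers from logged whoami.akamai.com answers.

The answer for whoami.akamai.com is the address of whichever resolver
actually reached Akamai's authoritative server.  Comparing it with the
address of the server we asked tells an open resolver (answers with its
own IP) from an open forwarder (answers with the IP it hides behind).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 space, checked explicitly: ipaddress.is_private also treats the
# RFC 5737 documentation ranges used below as private, which we do not want.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed sample log: (server queried, A record returned).
SAMPLE = [
    ("198.51.100.10", "198.51.100.10"),  # answers with itself: open resolver
    ("203.0.113.7", "198.51.100.10"),    # forwards to 198.51.100.10
    ("203.0.113.8", "198.51.100.10"),    # second forwarder behind the same resolver
    ("203.0.113.9", "203.0.113.77"),     # forwards to a resolver never queried directly
    ("192.168.1.1", "203.0.113.200"),    # home router: answer is your WAN egress IP
]


def classify(server, answer):
    """Return 'resolver', 'forwarder', or 'local-forwarder' (LAN box, public answer)."""
    if server == answer:
        return "resolver"
    if any(ip_address(server) in net for net in RFC1918):
        return "local-forwarder"
    return "forwarder"


def build_graph(records):
    """Map each upstream resolver IP to the sorted list of forwarders hiding behind it."""
    graph = defaultdict(set)
    for server, answer in records:
        if classify(server, answer) == "resolver":
            _ = graph[answer]  # keep resolvers with no known forwarders in the result
        else:
            graph[answer].add(server)
    return {resolver: sorted(fwds) for resolver, fwds in graph.items()}


def summarize(records):
    """Count servers per class, e.g. {'resolver': 1, 'forwarder': 3, 'local-forwarder': 1}."""
    counts = defaultdict(int)
    for server, answer in records:
        counts[classify(server, answer)] += 1
    return dict(counts)
```

Feeding the graph into a DOT or graphviz writer gives the forwarder-to-resolver picture directly, with resolvers as hubs and forwarders as leaves.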
